Taking back control of Windows Update: Install Updates when you want to!

For years we were more than unsatisfied with the options we had to choose from to patch our Microsoft Windows Servers. Without additional utility you are restricted to the few options Group Policy offers. So as I am always searching for a simple but efficient solution to such a painful problem, I combined two fantastic tools, to a powerful Windows Update Scheduler: PDQ Deploy and ABC Update.

tl;dr: If you choose option “3 – Auto download and notify for install” for your WSUS Group Policy, you can take any advanced Task Scheduler like PDQ Deploy in combination with ABC-Update to install Windows Updates scheduled the way YOU want it to be!

Prologue, where is my problem?

First let’s take a look at the options Microsoft offers us and why I refuse to rely on those. If I’m not completely mistaken the only Policy to choose when to patch Windows Updates has been “Configure Automatic Updates” since ever:

No option, the files would be cached by the Server but never installed

4 – Auto download and schedule the install

That looks promising, the server downloads and install when you want

5 – Allow local admin to choose setting

No option, as soon as you administrate 10+ servers you will loose track

So if you choose option 4, you can take control of the day and hour:

But whats what? You can only plan on a weekly base. No monthly option. Mh ok. And what if you need to stagger updates? Maybe your SQL Server needs to reboot before the Application Server? Then you either have to build different Organizational Units (OUs) in your Active Directory, each with a different GPO attached with a different time defined, or you link several GPOs to the same OU and work with Advanced Delegation.
For me, this is absolutely no option! I personally think that this is way to complicated and error-prone.

Act 2: A promising utility

What I needed was a way to trigger Windows Updates by an external utility without the need to use the built in GUI. And an advanced Task Scheduler, but I guess the Windows Server Task Scheduler could also work.
We already have such an advanced Task Scheduler, as we use PDQ Deploy to patch nearly every runtime and application on our Workstations and Server. (i. e. Java, Flash, Notepad++, FileZilla, WinScp, …)
I already knew about BatchPatch as a way to control Windows Update via command line, but it just didn’t fit me. (But you could of course take a look!)

It can install -> reboot -> search for updates -> install -> reboot -> search for updates -> and so on until there are no updates left, all with one command!

I writes beautiful log-files

It can report to you via E-Mail

With ABC-Update you get the updates exactly when you want them, and can also define max reboots, use filtering options to select updates based on patch dates, KB Articles and update categories.
The tool has a GUI and a command line version and this enable you to script update operations also if you have that need. Because you can also call the tool from a command line it is well fitted to be used with software distribution tools like ABC-Deploy, MS SCCM and others.

You are in control. No more waiting for Automatic updates.
Tested OK from Windows XP/2003 and up

This gap between what Microsoft is offering out of the box, and what many admins really wants is what the ABC-Update tool is made to fill.

Suddenly everything fitted together. So enough with the talking, on to the real-life examples!

Solution, I no longer have a problem!

First of all I built two ABC-Update.exe command line strings which fit all my needs:

Make sure there always happens a reboot when the program Exits, so we keep the boot order of our Windows Servers

Second, the GPO. As we don’t want Microsoft to take control, we set the following GPOs at least. This is extremely important, as this settings dictate the Windows Server to always cache, but never install Updates. And this is what we want, cause taking back control over Windows Update is our goal.

Allow Automatic Updates immediate installation

Disabled

Always automatically restart at the scheduled time

Disabled

Configure Automatic Updates Configure automatic updating:

Enabled 3 – Auto download and notify for install

Specify intranet Microsoft update service location Set the intranet update service for detecting updates: Set the intranet statistics server:

Enabled http://wsus.int.corp.de:8530 http://wsus.int.corp.de:8530

Enable client-side targeting Target group name for this computer

Enabled WinServer

Third, the Task Scheduler. As Microsoft Group Policy didn’t offer me what I needed we switched to PDQ Deploy, but as I said, any Task Scheduler should do it. For us, two things were really important:

We want to patch AND reboot every Windows Server in each customer Domain once per month

The Server has to reboot in the correct order, to result in a working configuration
DC -> SQL -> Fileserver -> Application Server -> XenApp -> etc

This resulted in the following:

I hope I could give someone an inspiration about how to deal with Windows Updates beyond the possibilities Microsoft offers us. If you have any questions, please leave me a comment.